Password reset link expiry time

6 posts by 2 authors in: Forums > CMS Builder
Last Post: August 5   (RSS)

By gversion - July 31

Hello,

Could someone please tell me how long the password reset link that is emailed to users remains active for? I'd also really appreciate it if someone could point me to where I can extend the length of time that the link works for.

Thank you very much!

Regards,

Greg

By gregThomas - August 3

Hey Greg,

The password reset link should remain active for up to 48 hours. Is this for resetting passwords on the front end of the site or in the CMS itself? Updating the reset password code in the CMS would require modifying the core codebase, so it's not recommended. But I can provide you with some sample code for updating the length of the password resets via the Website Membership plugin on the front end of the site if needed.

Cheers,

Greg

Greg Thomas

PHP Programmer - interactivetools.com

By gversion - August 3

Hi Greg,

Thanks for the message.

I am referring to the front-end website website using the website membership plugin.

I'd be very grateful for the example code.

Many thanks,

Greg

By gregThomas - August 4 - edited: August 4

Hey Greg,

I'd highly recommend avoiding increasing the password reset time if possible, as you're reducing the security of your password reset process. Also, as you're changing a core function of one of our plugins we can't provide any support that arises from this change in future. First, you'll need to add this function to your user-password-request.php page after the viewer library has loaded:

  function _custom_isValidPasswordResetCode($userNum, $resetCode) {
    $userNum = (int) $userNum;
  
    // load user
    $user = mysql_get(accountsTable(), $userNum);
    if (!$user) { return false; }
  
    // reset codes are valid for 24-48 hours, check both days
    $codeToday     = _generatePasswordResetCode($userNum, 0);
    $codeYesterday = _generatePasswordResetCode($userNum, -1);
    $threeDaysAgo  = _generatePasswordResetCode($userNum, -2);
    $fourDaysAgo   = _generatePasswordResetCode($userNum, -3);
    $validCodes    = array($codeToday, $codeYesterday, $threeDaysAgo, $fourDaysAgo);
    $isValid       = (int) in_array($resetCode, $validCodes);
  
    //
    return $isValid;
  }

Then, update the line that calls the _isValidPasswordResetCode (line 63 on the default user-password-request.php page) to use our updated function:

    $isValidResetCode = _custom_isValidPasswordResetCode($_REQUEST['userNum'], $_REQUEST['resetCode']);

This code should increase the password security reset time from a maximum of 2 days to 4. 

Thanks,

Greg

Greg Thomas

PHP Programmer - interactivetools.com

By gversion - August 5

Hi Greg,

Thank you for your reply and advice.

The main thing was for me to know how long the link lasted because I am using this function for creating accounts on behalf of users but I do not set a password for them so they need to click the password reset link to set their own password. If they don't do this within the time period then when they click the link it says it has expired and the so the user experience is not great. At least I can now add a message saying the link needs to be clicked within 48 hours.

I will follow your advice and not make any changes to this however it is good learning!

Thanks again,

Greg